Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-private-use-tld-01.txt
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 19 April 2021 18:35 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4C9A3A3E23 for <dnsop@ietfa.amsl.com>; Mon, 19 Apr 2021 11:35:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g7rg1rx2EVEE for <dnsop@ietfa.amsl.com>; Mon, 19 Apr 2021 11:35:13 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12BD63A3E25 for <dnsop@ietf.org>; Mon, 19 Apr 2021 11:35:12 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id u22so7117495vsu.6 for <dnsop@ietf.org>; Mon, 19 Apr 2021 11:35:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8t6vcNcJMS3ZaMjlhNaEEtZ07LpveeE5hYy64zKlh2M=; b=bRqPeg09UnMNERH9hgnj/kdAjDzGhyff2sRZ+EFpETxMwMH5jaRbqMV0+CyCj3xUSC FS5fyeE5yPfgphhdu4GU1z8n7RUwxkfQ3zGkszq3/mWtqjLrO96Ie0LkR90AHfDIj4Yn RpvfZrqceSZvRHnncvsStFMjrmtpvlB8XafwscB9S8tj5BFWvJyVRF9cWV3rVwbaWZae jzDfKWdxLy8F+XF7OHkSMPeEVnI04saprv8RXLJN7jNSb5SgGi/I2fl0dYY7RmLul7te d1MJdKxqE8aH8aZHCvE2yUZMJm9DRRhNaiFdpTrxgsHAAoUW8qC+WSTLCp8HhoXrsZgb 5rdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8t6vcNcJMS3ZaMjlhNaEEtZ07LpveeE5hYy64zKlh2M=; b=eympvLa5tQhT3+j8Sd0C6hESThNl92C+bGowvm901VpciVwnr3TBiNZ9MF5Di4DZLL OmP+vega4ETuztBmw2Lgl8xvFUSy8WC782/S5pVIXXJXyPnOjz+/bQgcuae0bHW1c/5z lkY1jLbz15iRsEHT2ZYHLseASPFjFaABeQl9K5Ymw8eeXQUP1bpEpLu2qBPWlGHuLdxW VMfZwCg8/xJr6xmFpxaRom5mnS6hSO9TkysiBZf4fvoHajdGw709xaktsXQ2CI6R0jjd qkc/GMAHn5cZ1IMrmWOSPpavjR/YqE8oxkNkOqctVj5iZwEWErMK6hSwvrUaUc2o76U9 pjIg==
X-Gm-Message-State: AOAM532A0CqIn+0keSzI4gH5nthL+HTHJRUgYpLQi8HNLlgQKPqyoYua GpS58PeeZtFzd1Let9EV1PPJlptCICQoAv2z7go=
X-Google-Smtp-Source: ABdhPJzURjCsHgBRPfwBsKV2pq6KfS4c2n5ospUWzWHRt9GX/OOU8irA+LL7sR36q2VSlUE0LjOwnekjHm+yC6WqonY=
X-Received: by 2002:a05:6102:2d5:: with SMTP id h21mr7289181vsh.58.1618857311220; Mon, 19 Apr 2021 11:35:11 -0700 (PDT)
MIME-Version: 1.0
References: <161805873252.19178.11471347094062424385@ietfa.amsl.com> <88395F35-AF22-489C-B9D6-2FFE4EB1A767@depht.com> <5F3F8198-23EA-4BA9-A07E-EF7AB035CE72@icann.org> <70F7005D-6F8B-4BC0-BDAF-A415F62A7E8E@depht.com> <8E609BE8-B440-4E29-B454-724055A0DFF2@icann.org>
In-Reply-To: <8E609BE8-B440-4E29-B454-724055A0DFF2@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 19 Apr 2021 11:35:00 -0700
Message-ID: <CAH1iCirXsv=k9bwzWG5--e2FGTfL8GM=CSviyiaf=hkUBZG0aQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: Andrew McConachie <andrew@depht.com>, DNSOP Working Group <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fa372505c05796e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/znb81OWPrNbkwewpjG8f-VA_Jak>
Subject: Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-private-use-tld-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 18:35:18 -0000
On Mon, Apr 19, 2021 at 9:34 AM Paul Hoffman <paul.hoffman@icann.org> wrote: > On Apr 19, 2021, at 7:17 AM, Andrew McConachie <andrew@depht.com> wrote: > > > > > > > > On 16 Apr 2021, at 17:18, Paul Hoffman wrote: > > > >> On Apr 16, 2021, at 5:31 AM, Andrew McConachie <andrew@depht.com> > wrote: > >> > >>> If I understand section 4.3 correctly, DNSSEC validating stub > resolvers SHOULD NOT resolve these names. Is that the intention of Section > 4.3? > >> > >> No, definitely not. The text says: > >> 3. Name resolution APIs and libraries SHOULD NOT recognise these > >> names as special and SHOULD NOT treat them differently. Name > >> resolution APIs SHOULD send queries for these names to their > >> configured caching DNS server(s). > >> Not recognizing them as special means to treat them like any other > name. There is no mention of DNSSEC. > >> > > > > I realize now my question was unclear. My understanding is that a DNSSEC > validating stub SHOULD attempt to validate these names, which will fail. > Therefore a DNSSEC validating stub cannot use these names. > > That's correct, as it would be for any private-use TLD. In fact, it's not > just about validating stubs: an organization wanting to use a private-use > TLD cannot have validating stub resolvers or validating recursive resolvers > anywhere in the organization. > I think there is value in highlighting the root problem, and its implications. Private-use TLDs will fail DNSSEC validation which uses the IANA DNSSEC Root Trust Anchor. Organizations using names beneath such private-use TLDs while operating validating recursive resolvers or validating stub resolvers need to also manage trust anchors for those domains on those hosts. Such a trust anchor could be used to either sign the domain, or prove the unsigned nature of the domain. (It may be an implementation-specific issue and/or specification issue, as to how multiple trust anchors are handled. I.e. I'm not 100% sure off hand if the current specifications are compatible with my statements. If they aren't, IMHO they should be either revised or made more clear so as to support use cases like this.) Brian Dickson
- [DNSOP] I-D Action: draft-ietf-dnsop-private-use-… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-private-… Andrew McConachie
- [DNSOP] Questions on draft-ietf-dnsop-private-use… Paul Hoffman
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Andrew McConachie
- Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-p… Paul Hoffman
- Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-p… John Levine
- Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-p… Brian Dickson
- Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-p… John Levine
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Donald Eastlake
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Joe Abley
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Roy Arends
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Jaap Akkerhuis
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Joe Abley
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Jim Reid
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… David Conrad
- Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-p… Paul Hoffman
- Re: [DNSOP] Questions on draft-ietf-dnsop-private… Donald Eastlake
- Re: [DNSOP] [Ext] Questions on draft-ietf-dnsop-p… Matthew Pounsett